The  State  of  Montana  attempts  to  provide  reasonable  accommodations 
for  any  known  disability  that  may  interfere  with  a person  participating 
in  any  service,  program  or  activity  of  the  State.  Alternative  accessible 
formats  of  this  document  will  be  provided  upon  request. 
Introduction 


Information  Technology  (IT)  is  the  employment  of  computer 
hardware,  software,  networks  and  telecommunications.  The  State  of 
Montana  uses  IT  to  conduct  business,  deliver  services  and  education, 
communicate  with  colleagues  and  clients,  and  make  decisions. 

As  a state  employee,  it  is  your  responsibility  to  safeguard  the  state's  IT 
investment  by  following  these  guidelines: 

► Use  state  property  for  state  (appropriate)  purposes. 

► Protect  state  property;  keep  it  safe  and  secure. 

► Use  state  property  within  the  limits  of  that  property. 

► Protect  the  state  from  liability  resulting  from  the  misuse  of  the 
property;  use  property  legally. 

State  information  technology  property  includes  not  only  the  computers 
you  work  on,  but  also  the  software  you  use  and  the  data  you  create. 

It  is  the  responsibility  of  each  department  director  to  promote  the 
importance  of  security  matters  by  ensuring  that  all  employees  are 
provided  with  security  training  commensurate  with  their 
responsibilities. 

This  guide  will  help  state  employees  learn  proper,  secure  and  legal  use 
of  state  information  technology,  including  system  hardware,  software 
and  data. 
Laws  and  Rules 


Legal  Guidance.  Few  laws  relate  solely  to  information  technology,  but 
other  existing  laws  have  been  modified  to  include  computer  hardware, 
software  and  data. 

Federal  Law.  It  is  a federal  crime  to  use  or  distribute  unlicensed 
copies  of  copyrighted  software.  Federal  laws  relating  to  copyrights, 
patents,  and  interstate  theft  apply  to  the  information  technology  arena. 
Generally,  copyright  laws  apply  to  software;  patent  laws  apply  to 
hardware;  and  laws  on  theft  can  apply  to  hardware,  software  and  data. 

Montana  Law.  Several  Montana  laws  refer  to  the  illegal  use  of 
information  technology  resources.  See  Appendix  B,  Appendix  C  and 
the  Theft  and  Destruction  section  of  this  booklet. 

Use  of  Equipment.  Section  2-2-121  MCA  (Montana  Code  Annotated). 
“A  public  officer  or  a public  employee  may  not  use  public  time, 
facilities,  equipment,  supplies,  personnel,  or  funds  for  the  officer's  or 
employee's  private  business  purposes...” 

Administrative  Rules  of  Montana.  ARM  provides  guidance  on  using 
the  state’s  telecommunications  systems  for  the  conduct  of  state 
business.  These  rules  are  being  interpreted  as  having  an  effect  beyond 
traditional  telephone  usage  (see  Appendix  E). 

Montana  Operations  Manual.  The  MOM  does  not  include  legal  issues 
in  its  automated  information  systems  section.  The  MOM  does  provide 
guidance,  for  the  agency  director,  regarding  system  design  controls; 
system  documentation;  protecting  software  rights;  system  security, 
including  requiring  system-security  training  for  employees;  and  home 
access. 

The  objective  of  the  policy  on  computer  security,  MOM  1-0250.00 
(Appendix  D),  is  to  prevent  the  intentional  or  unintentional 
modification;  destruction  or  disclosure;  or  misuse  of  data  and 
information  technology  resources. 

Policies.  Each  agency  has  specific  usage  policies  that  cover  software, 
hardware,  network  and  other  telecommunication  devices.  For 
example,  games  and  game  playing  on  state-owned  equipment  are 
generally  prohibited. 


Theft  and  Destruction 


Improper  or  inappropriate  use  of  IT  resources  may  constitute  theft  or 
cause  damage  to  the  state’s  property  or  public  image.  Violators  will  be 
dealt  with  in  accordance  with  the  agency's  discipline  handling  policy. 

Unauthorized  Mainframe  Access.  All  unauthorized-access  attempts 
against  protected  data  on  the  state's  mainframe  will  cause  a violation. 
Agency  security  officers  are  provided  a daily  report  showing  activity 
against  protected  data  on  the  mainframe.  This  report  shows  either 
logging  information  about  data  activity  or  violation  information  for 
access  attempts  made  to  protected  resources.  These  reports  are 
reviewed  by  the  security  officer,  and  violators  are  contacted,  if 
necessary. 

Often  a department’s  IT  manager  also  reviews  this  report  to  provide  a 
level  of  checks  and  balances.  When  a user  receives  a message 
indicating  a violation,  he  or  she  should  contact  the  agency  security 
officer  to  have  the  problem  resolved. 

Unauthorized  Network  and  PC  (Personal  Computer)  Access. 
Unauthorized  attempts  to  access  network  data  will  be  monitored  by 
agency  network  administrators.  Specific  networks  may  have  policies 
outlining  how  violations  will  be  enforced.  For  example,  the 
SummitNet  Acceptable  Use  Policy  describes  a three-tier  approach  to 
monitoring  and  enforcement  (see  Appendix  F). 
Reporting  Procedures.  Most  agencies  have  a Loss  Control  Officer 
who  is  responsible  for  communicating  losses  to  authorities.  This 
includes  notifying  local  law  officers,  Legislative  Audit  Division, 
Attorney  General’s  Office,  Risk  Management  and  Tort  Defense 
Division,  and  building  security. 

Computer  Use.  Section  45-6-311  MCA.  As  used  in  Section  45-6-311 
MCA,  the  term  "obtain  the  use  of"  means  to  instruct,  communicate 
with,  store  data  in,  retrieve  data  from,  cause  input  to,  cause  output 
from,  or  otherwise  make  use  of  any  resources  of  a computer,  computer 
system,  or  computer  network  or  to  cause  another  to  instruct, 
communicate  with,  store  data  in,  retrieve  data  from,  cause  input  to, 
cause  output  from,  or  otherwise  make  use  of  any  resources  of  a 
computer,  computer  system,  or  computer  network. 

Unlawful  Use  of  a Computer.  Section  45-6-311  MCA. 

1)  A person  commits  the  offense  of  unlawful  use  of  a computer  if  the 
person  knowingly  or  purposely: 

a)  obtains  the  use  of  any  computer,  computer  system,  or  computer 
network  without  consent  of  the  owner; 

b)  alters  or  destroys,  or  causes  another  to  alter  or  destroy,  a 
computer  program  or  computer  software  without  consent  of  the 
owner;  or 

c)  obtains  the  use  of  or  alters  or  destroys  a computer,  computer 
system,  computer  network,  or  any  part  thereof  as  part  of  a 
deception  for  the  purpose  of  obtaining  money,  property,  or 
computer  services  from  the  owner  of  the  computer,  computer 
system,  computer  network,  or  part  thereof  or  from  any  other 
person. 

2)  A person  convicted  of  the  offense  of  unlawful  use  of  a computer 
involving  property  not  exceeding  $500  in  value  shall  be  fined  not  to 
exceed  $500,  or  be  imprisoned  in  the  county  jail  for  a term  not  to 
exceed  6 months,  or  both.  A person  convicted  of  the  offense  of 
unlawful  use  of  a computer  involving  property  exceeding  $500  in 
value  shall  be  fined  not  more  than  2.5  times  the  value  of  the 
property  used,  altered,  destroyed,  or  obtained;  or  be  imprisoned  in 
the  state  prison  for  a term  not  to  exceed  10  years;  or  both. 

Theft  Consequences.  See  Appendix  C for  information  on  the 
consequences  of  stealing  IT  resources. 


Care  of  IT  Equipment 


IT  equipment  includes  hardware  items  such  as  CPUs  (central 
processing  units),  monitors,  keyboards,  modems  and  other 
telecommunications  devices.  These  all  need  proper  care  and  attention. 

Keyboards  are  especially  vulnerable  to  short  circuiting  when  coffee, 
pop  or  other  liquids  are  spilled  on  them. 

Care  should  be  taken  that  the  equipment  is  not  exposed  to  high 
temperatures  or  great  temperature  fluctuations.  UPSs  (uninterruptible 
power  supplies)  and  surge  protectors  should  be  used  on  computers  and 
printers  to  regulate  spikes  and  other  damaging  electrical  surges. 
Printers  (especially  laser  printers)  should  be  put  on  separate  UPSs  or 
surge  protectors.  Heaters,  coffee  pots  and  other  electrical  equipment 
should  also  be  on  a separate  surge  protector  or  outlet.  Turn  PCs  off 
during  lightning  storms,  power  plant  switching  or  winter  line  breaks. 
Do  not  turn  them  on  again  until  the  building’s  electricity  is  operating 
steadily. 

Only  anti-static  cleaners  should  be  used  on  monitors.  Never  spray 
chemicals  directly  on  them. 
Security.  When  stored  in  a vehicle,  all  equipment  should  be  kept  out 
of  sight.  Portable  equipment  should  be  in  a secured  place  when  not  in 
use. 

Location.  Adequate  ventilation  for  equipment  should  be  provided,  and 
care  should  be  taken  so  that  the  fans  and  exhaust  vents  are  not 
obstructed.  The  network  administrator  should  be  contacted  before 
equipment  is  moved.  When  equipment  is  brought  in  from  a colder 
environment,  it  should  be  given  sufficient  time  to  warm  up  before 
being  used. 


Care  of  Data 


Computer  data  and  documents  that  you  create  are  important.  You  must 
be  responsible  for  the  accuracy,  confidentiality,  security  and  protection 
of  the  data.  Fortunately,  the  security  and  protection  of  data  that  is  stored 
on  central  file  servers,  departmental  computers  or  the  state's  mainframe 
computer  will  be  administered  by  a system  administrator  who  will  be 
responsible  for  security  and  protection  (backup)  of  the  data.  If  your  data 
is  stored  locally  on  a PC,  it  will  be  your  responsibility  to  secure  and 
back  up  the  data.  (See  Passwords  within  the  Access  section,  and  the  Virus 
Scanning  section.) 

Accuracy.  Accuracy  of  information  is  critical  to  support  the  systems  with 
which  you  will  be  working  and  the  people  for  whom  you  will  be  working. 
Take  time  to  double  check  information  entered  into  a data  processing 
system.  It  is  much  easier  to  correct  information  before  it  enters  the  system 
than  to  find  and  correct  it  later.  Remember  the  saying  "Garbage  In, 
Garbage  Out." 

Confidentiality.  Confidentiality  of  information  starts  with  you,  so  follow 
policy  and  common  sense  with  regard  to  your  information.  Using  any 
information  for  gossip  or  personal  gain  is  never  appropriate. 
Security.  Security  of  information  is  your  responsibility  if  a system 
administrator  does  not  provide  it.  This  means  that  unauthorized  people 
are  not  to  have  access  to  any  privileged  data  with  which  you  work.  This 
responsibility  extends  to  taking  reasonable  steps  to  ensure  that  the 
information  cannot  be  obtained  either  accidentally  or  maliciously. 

Protection  and  Backup.  Protection  of  data  usually  means  making  a 
backup,  but  it  actually  entails  more  of  a continuous  philosophy  of  making 
sure  that  the  information  can  survive  disasters,  theft,  malicious 
destruction,  unauthorized  alteration,  or  most  commonly,  human  mistakes. 
Backups  must  be: 

► made  at  intervals  determined  by  the  amount  and  criticality  of  the 
information  to  be  protected; 

► stored  in  a manner  such  that  a single  disaster  would  not  destroy 
all  copies  of  the  data;  and 

► stored  in  a way  that  prevents  access  by  unauthorized  personnel. 

Individuals  should  be  aware  of  their  agency's  backup  procedures  and 
participate  appropriately. 

Disaster  Recovery.  Your  agency  probably  also  has  a disaster  recovery 
plan.  This  plan  is  a formalized  set  of  procedures  and  actions  taken  to 
minimize  agency  losses  due  to  an  interruption  in  service.  Individuals 
should  also  be  aware  of  any  disaster  recovery  efforts  and  support  them 
if  requested. 


Virus  Scanning 


Viruses.  The  state  has  a considerable  investment  in  and  reliance  on  its 
information  technology  resources.  Problems  can  develop  when  a 
computer  is  infected  by  a virus  or  similar  subversive  software. 
Typically,  this  results  in  anything  from  destruction  of  data  to  a 
complete  shutdown  of  a computer.  Subversive  software  is  passed  from 
one  computer  to  another  via  the  sharing  of  infected  diskettes,  or 
through  computer  networks.  As  with  a biological  virus,  the  computer 
user  is  unaware  that  he  or  she  may  be  contributing  to  the  spread  of  a 
virus  through  the  use  of  an  infected  diskette  or  network. 

All  computers  are  vulnerable  to  viruses.  At  the  beginning  of  1997 
there  were  more  than  8,000  identified  computer  viruses,  and  the  list  is 
growing.  Viruses  have  become  so  common  that  it  is  rare  to  find  a 
large  organization  that  has  not  been  affected  at  some  time,  and  the  State 
of  Montana  is  no  exception.  In  fact,  reports  of  virus  infections  are 
logged  every  week,  and  the  state  has  been  seeing  a large  jump  in 
reported  viruses,  possibly  because  of  improved  virus  scanning  software 
and  increased  virus  activity. 

In  recent  years,  far  more  complicated  virus  strains  have  been 
developed,  and  they  often  have  malicious  side  effects.  Using  scanners 
(virus  detection  software)  that  were  adequate  last  year  may  not  be 
effective  now.  It  is  extremely  important  that  only  the  latest  versions  of 
the  virus  scanning  software  be  used,  and  that  they  be  used  regularly. 

Scanning  Software.  Many  agencies  have  recently  changed  their 
internal  policy  to  include  a daily  virus  scan.  This  is  important  because 
of  the  increase  in  virus  activity.  Also,  improvements  in  viral  detection 
software  allow  these  scans  to  be  done  much  faster.  One  of  the  best 
defenses  against  virus  infection  is  to  make  sure  your  computer  does  not 
boot  (start  up)  from  the  A:  drive.  It  is  estimated  that  80  percent  of 
viruses  are  transmitted  through  the  boot  process.  Newer  computer 
models  may  have  a setup  option  that  prevents  the  computer  from 
booting  from  the  A:  drive. 

The  state  receives  much  data  on  diskettes  from  outside  agencies  and 
individuals,  and  these  disks  should  be  scanned  before  being  used.  Even 
shrink-wrapped  software  received  from  manufacturers  should  be 
scanned  since  software  companies  are  also  susceptible  to  viruses.  In 
addition,  files  received  from  BBSs  (bulletin  board  systems),  the  Internet 
and  e-mail  (electronic  mail)  should  be  scanned  before  use,  per  agency 
policy. 

Out-going  diskettes  should  also  be  scanned.  This  practice  can  be 
especially  important  if  a diskette  is  later  found  to  be  infected.  By 
knowing  the  disk  was  clean  when  it  left  your  office,  the  true  source  of 
the  infection  can  be  more  easily  tracked.  The  more  hands  a diskette 
passes  through  before  being  scanned,  the  more  difficult  it  becomes  to 
trace  the  virus  source. 

The  newest  versions  of  virus  scanners  use  what  is  called  on-access 
scanning.  Previously,  virus  scanning  software  used  on-demand 
scanning,  which  means  that  it  only  ran  when  you  initiated  it. 

On-access  scanning  runs  all  of  the  time  in  the  background,  checking 
files  as  they  are  copied,  moved,  renamed,  or  executed.  This  adds  some 
processing  overhead  to  the  computer  system,  but  it  offers  the  user  the 
best  protection. 

Remember,  the  cost  of  cleaning  up  a virus  attack  can  be  extremely 
high,  in  terms  of  time  and  money.  So  a little  time  invested  in 
prevention  and  scanning  can  pay  dividends  tomorrow. 


Software  Licensing 


The  following  definitions  are  from  Prentice  Hall's  Illustrated 
Dictionary  of  Computing. 

Software  Definitions 

Freeware.  Utilities  and  software  programs  (under  copyright)  made 
available  to  the  public  free  of  charge. 

Shareware.  Software  which  is  protected  under  copyright  and  made 
available  to  users  on  a trial  basis,  on  the  condition  that  if  the  program  is 
adopted,  the  user  will  forward  payment  to  the  author.  Shareware  is 
often  distributed  via  mail  order  or  copied  from  public  bulletin  boards. 
This  differs  from  public  domain  software  which  is  available  for  use  free 
of  charge  because  it  is  not  protected  under  copyright. 

Software.  A computer  program;  a set  of  instructions  written  in  a 
specific  language  that  commands  the  computer  to  perform  various 
operations  on  data  contained  in  the  program  or  supplied  by  the  user. 

License  Definitions 

License  Agreement.  The  agreement  that  accompanies  computer 
software.  Read  it!  It  may  be  stated  explicitly  — in  the  software 
documentation  or  on  the  computer  screen  when  the  program  is  opened 
— or  implicitly,  in  the  purchase  price  of  the  software.  In  most 
countries,  the  legal  purchase  of  software  licenses  the  software  user  to 
make  one  backup  copy  only,  in  case  the  original  software  disk 
malfunctions  or  is  destroyed. 

Site  License.  A license  from  a software  publisher  which  permits  an 
organization  to  make  a large  number  (limited)  of  copies  of  the  software 
in  order  to  equip  all  network  users  with  personal  or  shared  copies  of 
the  program.  This  is  generally  far  cheaper  than  purchasing  multiple 
copies  of  the  package.  License  terms  can  be  perpetual  or  restricted  to  a 
number  of  months  or  years. 

Network  Licensing.  On  many  networks,  there  is  not  a one-to-one 
relationship  between  the  number  of  users  and  the  number  of  software 
licenses  for  a certain  product.  This  is  because  some  network  licenses 
require  only  that  licenses  be  purchased  for  the  number  of  concurrent 
users.  For  example,  a state  agency  with  a network  of  30  PCs  may 
purchase  only  10  Lotus  1-2-3  licenses.  Anyone  in  the  agency  can  use 
Lotus,  but  only  10  people  at  a time  will  be  allowed  access.  This  is 
very  cost  effective  for  agencies  with  many  staff  making  limited  use  of  a 
software  package. 
Work/Home  Licensing.  Each  software  publisher  has  unique  guidelines 
and  requirements  for  their  own  products.  Home  use  depends  on  the 
specific  license  terms  and  conditions  of  the  software.  In  the  case  of 
network  software,  contact  your  network  administrator.  The  network 
administrator  can  research  the  license  of  the  software  you  are  interested 
in  using  at  home  and  make  you  aware  of  the  parameters. 

Copyright  Laws 

Software  Piracy.  The  criminal  act  of  making  or  distributing  for 
financial  gain,  an  unauthorized  copy  (or  copies)  of  a copyrighted 
software  product. 

It  is  illegal  to:  1)  copy  or  distribute  software  or  its  accompanying 
documentation,  including  programs,  applications,  data,  codes,  and 
manuals,  without  permission  or  license  from  the  copyright  owner;  and 
2)  run  purchased,  copyrighted  software  on  two  or  more  computers 
simultaneously  unless  the  license  agreement  specifically  allows  it. 

Copyright  infringement  is  a crime!! 

Business  Software  Alliance  (BSA),  which  is  comprised  of  the  nation's 
leading  software  producers,  estimates  that  as  much  as  35  percent  of  all 
business  software  is  pirated.  Software  producers  regard  piracy  as  theft 
of  a company's  products. 


Access 


State  agency  computers  are  storehouses  of  valuable  information 
governing  and  detailing  all  facets  of  the  agency's  internal  operations;  its 
relationships  with  other  regulatory  agencies  and  the  public;  legal 
matters;  personnel  documentation  and  other  information.  The  data  in 
these  files  can  be  easily  copied,  moved,  changed  or  destroyed.  In  hard 
copy,  much  of  this  information  is  stored  in  vaults  or  locked  file 
cabinets.  Equivalent  protection  should  be  afforded  the  electronic 
versions  of  this  information. 

Data  dissemination.  Follow  agency  policy  guidelines  regarding  data 
dissemination.  Some  information  may  be  subject  to  confidentiality 
requirements. 

Logon  IDs.  Logon  IDs  (also  called  login  IDs,  logins,  logons,  etc.)  are 
used  on  networks,  on  mainframe  systems  and  by  dial-up  services. 

They  identify  the  user  to  the  computer.  The  computer  uses  the  logon 
ID  to  route  the  user  to  the  drive(s),  directory(ies),  or  other  areas  to 
which  the  user  has  been  granted  access  by  the  system  administrator. 
The  ID  is  assigned  to  the  user  by  the  administrator  according  to 
protocols  built  into  the  system  software. 

Passwords.  Passwords  are  alphanumeric  combinations  unique  to 
individual  users.  When  used  in  conjunction  with  logon  IDs,  passwords 
provide  an  additional  level  of  security.  Three  incorrect  password 
attempts  will  disable  the  use  of  the  associated  logon  ID  and  prohibit 
access  to  a network.  In  this  case,  the  network  administrator  must  be 
contacted. 

The  Montana  Operations  Manual  (1-0250.00  Information  System 
Security;  see  Appendix  D of  this  booklet)  recommends  the  following 
password  standards.  Passwords  should: 

► be  at  least  six  (6)  characters  long; 

► be  changed  at  least  every  60  days;  and 

► contain  at  least  one  (1)  numeric  and  one  (1)  alphabetic 
character. 

Passwords  should  not  be: 

► obvious  or  easily  guessed  (such  as  the  user's  name,  address,  or 
birth  date;  or  the  name  of  a child  or  spouse); 

► reused  for  at  least  four  (4)  cycles; 
► written  down  where  they  can  be  found  by  unauthorized 
personnel;  or 

► shared  with  other  individuals. 

Passwords  are  important.  Use  them  and  protect  them! 

Logging  Off  the  System.  If  an  employee's  computer  will  be  left 
unattended  for  20  minutes  or  more,  it  is  a good  idea  to  log  off  of  the 
network  or  have  the  screen  protected  by  a password.  Also,  at  the  end 
of  the  day,  all  employees  must  close  down  all  files  and  log  off  of  the 
network.  Turning  off  the  monitor  is  not  the  same  as  logging  off! 


Remote  Access 


Many  agencies  have  policies  relating  to  the  access  of  departmental 
computer  systems  from  remote  sites  (such  as  an  employee’s  home)  via 
an  employee’s  personal  equipment  or  departmental  equipment  (for 
example,  a notebook  computer).  Such  situations  are  possible  due  to  the 
capabilities  (and  opportunities)  of  today’s  dial-up  access  and  networked 
services  like  Internet.  Agency  policies  outline  appropriate  use  of 
remote  access  and  the  conditions  under  which  this  use  is  granted. 

The  process  to  obtain  access  authorization  may  include  the  signing  of 
documents  containing  verbiage  like  this: 

Dial-In  Authorization 

This  is  authorization  to  dial  in  to  the  computer  system. 

This  is  not  authorization  for  compensation  for  work  done 
at  home.  Compensation  for  work  done  at  home  must  fall 
under  agency  policy. 

Today’s  electronic  communications  capabilities  via  computer  systems 
and  networks  are  extensive,  and  with  time,  these  capabilities  will 
expand  significantly.  Such  capabilities  represent  an  opportunity  for 
increasing  employee  productivity.  For  example,  employees  can  dial  up 
a department’s  computer  system  directly  from  their  home  in  order  to 
retrieve  or  send  e-mail  messages. 

Remember,  access  to  State  of  Montana  resources  is  for  the  benefit  of 
the  State  of  Montana. 


State  Standards - Hardware 


Compatible  IT  hardware  and  software  are  necessary  due  to:  1)  the 
growth  in  the  number  of  PCs  and  computer  networks;  and  2)  ISD's 
(Information  Services  Division,  Dept.  of  Administration)  responsibility 
for  establishing  an  enterprise  network. 

Benefits  of  State  Standards 

► Training  costs  are  lower  for  the  technical  staff  supporting  the 
hardware,  the  networks  or  the  software  applications. 

► Fewer  resources  are  needed  to  support  a standardized 
environment  than  a totally  customized  one. 

► Network  connectivity  is  facilitated. 

► Data/information  sharing  is  enhanced. 

► Employee  skills  are  easily  transferred  within  and  between 
agencies. 

► Purchasing  is  streamlined,  and  volume  discounts  apply. 

► Troubleshooting  time  is  reduced. 
► Enterprise-wide  upgrades  of  hardware  and  software  can  be 
accomplished  more  cost  effectively  and  efficiently  when  the 
existing  installed  base  is  standardized. 

Possible  Disadvantages  of  State  Standards 

► State  standards  are  not  always  a perfect  match  for  an  agency’s 
specific  IT  needs. 

► A large  investment  in  one  technology  may  make  it  very 
difficult  to  switch  to  a new  standard  if  the  need  arises.  The 
state  cannot  afford  to  invest  in  several  different  technical 
directions,  or  quickly  adopt  new  technologies. 

Standardization  may  mean  compromise  and  consolidation,  but  it  will 
allow  the  state  to  leverage  its  investment  in  data  processing  staff  and 
technology  and  maximize  resource-sharing  opportunities. 

Current  Standards 

Software.  There  are  specific  state  standards  for  microcomputer 
software  and  for  supported  mainframe  software.  State  needs  are 
constantly  being  evaluated,  and  the  products  supported  do  change  with 
time.  Standards  are  adopted  in  a collaborative  effort  between  ISD 
(Information  Services  Division,  Dept.  of  Administration),  ITMG 
(Information  Technology  Managers  Group),  and  ITAC  (Information 
Technology  Advisory  Council). 

The  following  table  lists  some  of  the  more  common  standards.  For 
additional  information,  contact  your  agency  IT  personnel  or  End  User 
Systems  Support  at  ISD  (406/444-2700). 
State  Software  Standards 

Application                    Standard
Word  Processing               WordPerfect
Spreadsheets                   Lotus  1-2-3
Electronic  Mail  (e-mail)     ZIP!Mail/ZIP!Office*
Operating  System              DOS,  Windows
Network  Operating  System     NetWare
Client/Server  Database        Oracle
End-User  Database             Lotus  Approach
Relational  Database           IDMS

...and  many,  many  more 

* It  is  anticipated  that  during  1997  ZIP!Mail/ZIP!Office  will  be  replaced  by  a 
new,  state,  e-mail  standard. 


Hardware.  The  state  has  also  established  term  contracts  for  personal 
computers.  Currently,  agencies  have  a choice  of  equipment  provided 
by  IBM,  DEC  and  Dell.  This  hardware  is  guaranteed  to  be  compatible 
with  the  state's  network  environment,  thereby  easing  installation  and 
support  requirements. 
Frequently  Asked  Questions 


May  I move  my  computer  to  a new  location? 

Call  your  network  administrator  first  to  make  sure  the  change 
won't  affect  the  current  configuration.  If  you  are  moving  to  a new 
room,  the  network  administrator  will  be  able  to  verify  if  network 
wiring  is  in  place  and  order  new  wiring  if  needed. 

I have  software  that  I bought  myself  — may  I load  it  on  my  state 
PC? 

No.  Check  with  your  network  administrator.  State  standards  and 
agency  guidelines  must  be  followed.  Unauthorized  software  is  not 
allowed  on  agency  PCs.  Installation  of  software  without  the 
guidance  of  your  agency  network  administrator  can  affect  the 
configuration  of  the  PC  in  question  and  jeopardize  the  integrity  of 
the  entire  network. 

What  can  I do  to  prevent  viruses? 

Use  virus  scanning  software  anytime  you  insert  a diskette  into  your 
PC  — even  if  that  diskette  comes  from  a "reliable"  source  like  the 
federal  government  or  a software  vendor. 

Should  I password  protect  my  individual  files? 

No.  If  you  are  secure  in  your  use  of  passwords  (login  and  screen 
saver),  you  should  not  need  to  password  protect  individual  files. 
Instead,  highly  sensitive  files  may  be  moved  to  a protected  network 
directory  that  restricts  access. 
What  about  typing  letters  for  personal  business? 

Letters  written  using  state  time  or  state  resources  on  behalf  of  an 
organization,  to  an  organization,  or  regarding  a personal  outside 
business  are  not  acceptable.  This  applies  to  both  profit  and 
non-profit  organizations.  This  means  you  cannot  write  letters  for 
your  at-home  mail-order  business  on  a state  computer;  you  cannot 
print  letters  for  your  scouting  organization  on  a state  printer;  and 
you  certainly  cannot  do  activities  like  these  on  state  time. 
Section  2-15-114  MCA 

Security  responsibilities  of  departments  for  data  and  information 
technology  resources.  Each  department  head  is  responsible  for 
assuring  an  adequate  level  of  security  for  all  data  and  information 
technology  resources  within  his  department  and  shall: 

(1)  develop  and  maintain  written  internal  policies  and  procedures 
to  assure  security  of  data  and  information  technology 
resources.  The  internal  policies  and  procedures  are 
confidential  information  and  exempt  from  public  inspection, 
except  that  such  information  must  be  available  to  the 
legislative  auditor  in  performing  his  post-auditing  duties; 

(2)  designate  an  information  security  manager  to 
administer  the  department's  security  program 
for  data  and  information  technology  resources; 

(3)  implement  appropriate  cost-effective 
safeguards  to  reduce,  eliminate,  or  recover 
from  identified  threats  to  data  and  information 
technology  resources; 

(4) ensure internal evaluations of the security
program for data and information technology
resources are conducted. The results of such
internal evaluations are confidential and
exempt from public inspection, except that
such information must be available to the
legislative auditor in performing his
post-auditing duties;

(5) include appropriate security requirements, as
determined by the department, in the written
specifications for the department's solicitation
of data and information technology resources;
and

(6) maintain an information technology plan,
including a general description of the existing
security program and future plans for assuring
security of data and information technology
resources.

Only pertinent definitions have been included from the following
statute. 

Section  45-2-101  MCA 

General  definitions.  Unless  otherwise  specified  in  the  statute,  all 
words  will  be  taken  in  the  objective  standard  rather  than  in  the 
subjective,  and  unless  a different  meaning  plainly  is  required,  the 
following  definitions  apply  in  this  title: 

(4) "Benefit" means gain or advantage or anything regarded by
the beneficiary as gain or advantage, including benefit to any
other person or entity in whose welfare the beneficiary is
interested. Benefit does not include an advantage promised
generally to a group or class of voters as a consequence of
public measures that a candidate engages to support or
oppose.

(7) "Common scheme" means a series of acts or omissions
motivated  by  a purpose  to  accomplish  a single  criminal 
objective  or  by  a common  purpose  or  plan  that  results  in  the 
repeated  commission  of  the  same  offense  or  that  affects  the 
same  person  or  the  same  persons  or  the  property  of  the  same 
person  or  persons. 

(8)  "Computer"  means  an  electronic  device  that  performs 
logical,  arithmetic,  and  memory  functions  by  the 
manipulation  of  electronic  or  magnetic  impulses  and  includes 
all  input,  output,  processing,  storage,  software,  or 
communication  facilities  that  are  connected  or  related  to  that 
device  in  a system  or  network. 

(9) "Computer network" means the interconnection of
communication systems between computers, or computers
and remote terminals.

(10) "Computer program" means an instruction or statement or a
series  of  instructions  or  statements,  in  a form  acceptable  to  a 
computer,  that  in  actual  or  modified  form  permits  the 
functioning  of  a computer  or  computer  system  and  causes  it 
to  perform  specified  functions. 

(11) "Computer services" include but are not limited to computer
time,  data  processing,  and  storage  functions. 

(12)  "Computer  software"  means  a set  of  computer  programs, 
procedures,  and  associated  documentation  concerned  with  the 
operation  of  a computer  system. 

(13)  "Computer  system"  means  a set  of  related,  connected,  or 
unconnected  devices,  computer  software,  or  other  related 
computer  equipment. 

(14) "Conduct" means an act or series of acts and the
accompanying  mental  state. 

(17) "Deception" means knowingly to:

(a)  create  or  confirm  in  another  an  impression  that  is  false 
and  that  the  offender  does  not  believe  to  be  true; 

(b)  fail  to  correct  a false  impression  that  the  offender 
previously  has  created  or  confirmed; 

(c)  prevent  another  from  acquiring  information  pertinent  to 
the  disposition  of  the  property  involved; 

(d)  sell  or  otherwise  transfer  or  encumber  property  without 
disclosing  a lien,  adverse  claim,  or  other  legal 
impediment  to  the  enjoyment  of  the  property,  whether  the 
impediment  is  or  is  not  of  value  or  is  or  is  not  a matter  of 
official  record;  or 

(e) promise performance that the offender does not intend to
perform  or  knows  will  not  be  performed.  Failure  to 
perform,  standing  alone,  is  not  evidence  that  the  offender 
did  not  intend  to  perform. 

(19) "Deprive" means to withhold property of another:

(a)  permanently; 

(b)  for  such  a period  as  to  appropriate  a portion  of  its  value; 

(c)  with  the  purpose  to  restore  it  only  upon  payment  of 
reward  or  other  compensation;  or 

(d)  to  dispose  of  the  property  and  use  or  deal  with  the 
property  so  as  to  make  it  unlikely  that  the  owner  will 
recover  it. 

(25)  "Harm"  means  loss,  disadvantage,  or  injury  or  anything  so 
regarded  by  the  person  affected,  including  loss,  disadvantage, 
or  injury  to  any  person  or  entity  in  whose  welfare  the 
affected  person  is  interested. 

(33)  "Knowingly"  — a person  acts  knowingly  with  respect  to 
conduct  or  to  a circumstance  described  by  a statute  defining 
an  offense  when  the  person  is  aware  of  the  person's  own 
conduct  or  that  the  circumstance  exists.  A person  acts 
knowingly  with  respect  to  the  result  of  conduct  described  by 
a statute  defining  an  offense  when  the  person  is  aware  that  it 
is  highly  probable  that  the  result  will  be  caused  by  the 
person's  conduct.  When  knowledge  of  the  existence  of  a 
particular  fact  is  an  element  of  an  offense,  knowledge  is 
established  if  a person  is  aware  of  a high  probability  of  its 
existence. Equivalent terms, such as "knowing" or "with
knowledge," have the same meaning.

(37) "Negligently" — a person acts negligently with respect to a
result or to a circumstance described by a statute defining an
offense when the person consciously disregards a risk that the
result will occur or that the circumstance exists or when the
person disregards a risk of which the person should be aware
that the result will occur or that the circumstance exists. The
risk must be of a nature and degree that to disregard it
involves a gross deviation from the standard of conduct that a
reasonable person would observe in the actor's situation.
"Gross deviation" means a deviation that is considerably
greater than lack of ordinary care. Relevant terms, such as
"negligent" and "with negligence," have the same meaning.

(38)  "Obtain"  means: 

(a)  in  relation  to  property,  to  bring  about  a transfer  of 
interest  or  possession,  whether  to  the  offender  or  to 
another;  and 

(b)  in  relation  to  labor  or  services,  to  secure  the  performance 
of  the  labor  or  service. 

(39)  "Obtains  or  exerts  control"  includes  but  is  not  limited  to  the 
taking;  the  carrying  away;  or  the  sale,  conveyance,  or 
transfer  of  title  to,  interest  in,  or  possession  of  property. 

(46)  "Owner"  means  a person  other  than  the  offender  who  has 
possession  of  or  any  other  interest  in  the  property  involved, 
even  though  the  interest  or  possession  is  unlawful,  and 
without  whose  consent  the  offender  has  no  authority  to  exert 
control  over  the  property. 

(54)  "Property"  means  any  tangible  or  intangible  thing  of  value. 
Property  includes  but  is  not  limited  to: 

(i)  food  and  drink,  samples,  cultures,  microorganisms, 
specimens,  records,  recordings,  documents,  blueprints, 
drawings,  maps,  and  whole  or  partial  copies, 
descriptions,  photographs,  prototypes,  or  models  thereof; 

(j) any other articles, materials, devices, substances, and any
whole or partial copies, descriptions, photographs,
prototypes, or models thereof that constitute, represent,
evidence, reflect, or record secret scientific, technical,
merchandising, production, or management information
or a secret designed process, procedure, formula,
invention, or improvement; and

(k) electronic impulses, electronically processed or produced
data or information, commercial instruments, computer
software or computer programs, in either machine- or
human-readable form, computer services, any other
tangible or intangible item of value relating to a
computer, computer system, or computer network, and
any copies thereof.

(65) "Stolen property" means property over which control has
been obtained by theft.

Only pertinent definitions have been included from the following
statute. 

Section  45-6-301  MCA.  Theft. 

(1)  A person  commits  the  offense  of  theft  when  the  person 
purposely  or  knowingly  obtains  or  exerts  unauthorized 
control  over  property  of  the  owner  and: 

(a)  has  the  purpose  of  depriving  the  owner  of  the  property; 

(b)  purposely  or  knowingly  uses,  conceals,  or  abandons  the 
property  in  a manner  that  deprives  the  owner  of  the 
property;  or 

(c)  uses,  conceals,  or  abandons  the  property  knowing  that 
the  use,  concealment,  or  abandonment  probably  will 
deprive  the  owner  of  the  property. 

(2)  A person  commits  the  offense  of  theft  when  the  person 
purposely  or  knowingly  obtains  by  threat  or  deception  control 
over  property  of  the  owner  and: 

(a)  has  the  purpose  of  depriving  the  owner  of  the  property; 

(b)  purposely  or  knowingly  uses,  conceals,  or  abandons  the 
property  in  a manner  that  deprives  the  owner  of  the 
property;  or 

(c)  uses,  conceals,  or  abandons  the  property  knowing  that 
the  use,  concealment,  or  abandonment  probably  will 
deprive  the  owner  of  the  property. 

(3)  A person  commits  the  offense  of  theft  when  the  person 
purposely  or  knowingly  obtains  control  over  stolen  property 
knowing  the  property  to  have  been  stolen  by  another  and: 

(a)  has  the  purpose  of  depriving  the  owner  of  the  property; 

(b) purposely or knowingly uses, conceals, or abandons the
property  in  a manner  that  deprives  the  owner  of  the 
property;  or 

(c)  uses,  conceals,  or  abandons  the  property  knowing  that 
the  use,  concealment,  or  abandonment  probably  will 
deprive  the  owner  of  the  property. 

(6) (a) A person convicted of the offense of theft of property not
exceeding $500 in value shall be fined not to exceed $500
or be imprisoned in the county jail for any term not to
exceed 6 months, or both. A person convicted of a
second offense shall be fined $500 or be imprisoned in
the county jail for a term not to exceed 6 months, or
both. A person convicted of a third or subsequent
offense shall be fined $1,000 and be imprisoned in the
county jail for a term of not less than 30 days or more
than 6 months.

(b)  A person  convicted  of  the  offense  of  theft  of  property 
exceeding  $500  in  value...  shall  be  fined  not  to  exceed 
$50,000  or  be  imprisoned  in  the  state  prison  for  any  term 
not  to  exceed  10  years,  or  both. 

Section 1-0250.00 MOM. Information System
Security.

Policy  and  Objectives. 

(a)  It  is  the  policy  of  the  Department  of  Administration  that 
agencies  are  responsible  for  implementing  security  measures 
for  the  protection  of  their  data  and  information  technology 
resources. 

(b)  It  is  the  objective  of  this  policy  to  prevent  the  intentional  or 
unintentional  modification,  destruction  or  disclosure,  or 
misuse  of  data  and  information  technology  resources. 

Definitions.

"Data  and  Information  Technology  Resources"  includes 
mainframe,  midtier  systems,  microcomputer  hardware,  peripherals, 
software,  special  forms,  personnel,  facility  resources,  maintenance, 
training,  electronically  stored  data,  telecommunications/data 
networks  or  other  related  resources. 

"Information Technology Plan" means a documented plan that
includes  at  minimum  the  agency’s  contingency  plan,  security  plan, 
disaster  recovery  and  policies  relating  to  the  management  and  use 
of  the  agency’s  data  and  information  technology  resources. 

"UserID" will be used generically to refer to logonID, loginID,
userID, account, or any other term used to define a user's
resources and privileges on a computer, computer system or
network.

"Password" means an alphanumeric combination unique to
individual users that in conjunction with the UserID allows a user
access to a specific computer, network or computer system.

Unlawful Use of a Computer.

(1)  A person  commits  the  offense  of  unlawful  use  of  a computer 
(MCA  45-6-311)  if  he  knowingly  or  purposely: 

(a)  obtains  the  use  of  any  computer,  computer  system,  or 
computer  network  without  the  consent  of  the  owner; 

(b)  alters  or  destroys  or  causes  another  to  alter  or  destroy  a 
computer  program  or  computer  software  without  the 
consent  of  the  owner; 

(c)  obtains  the  use  of  or  alters  or  destroys  a computer, 
computer  system,  computer  network,  or  any  part  thereof 
as  part  of  a deception  for  the  purpose  of  obtaining 
money,  property,  or  computer  services  from  the  owner  of 
the  computer,  computer  system,  computer  network,  or 
part  thereof  or  from  any  other  person. 

(2) "Obtains the use of" means to instruct, communicate with,
store  data  in,  retrieve  data  from,  cause  input  to,  cause  output 
from,  or  otherwise  make  use  of  any  resources  of  a computer, 
computer  system,  or  computer  network,  or  to  cause  another 
to  instruct,  communicate  with,  store  data  in,  retrieve  data 
from,  cause  input  to,  cause  output  from,  or  otherwise  make 
use  of  any  resources  of  a computer,  computer  system,  or 
computer  network. 

Security  Legislation. 

The  Legislature  has  provided  for  the  security  of  data  and  information 
technology  resources  and  established  the  responsibilities  of  state 
agencies,  the  Board  of  Regents,  the  Supreme  Court  and  the  Department 
of  Administration  (MCA  2-15-114,  2-17-503,  3-2-605,  20-25-301, 
45-6-311  and  other  applicable  code  sections). 

Agency Responsibilities.

Each  department  head  is  responsible  for  assuring  an  adequate  level  of 
security  for  all  data  and  information  technology  resources  within  the 
department  and  shall: 

(a)  Promote  the  importance  of  security  matters  by  insuring  that 
everyone  having  access  to  protected  resources,  i.e., 
employees,  contractors,  other  government  agencies  or  any 
other  person  are  provided  with  security  training 
commensurate  with  their  responsibilities; 

(b)  Develop  and  maintain  written  internal  policies  and 
procedures  to  assure  security  of  data  and  information 
technology  resources.  The  internal  policies  and  procedures 
are  confidential  information  and  exempt  from  public 
inspection,  except  that  such  information  must  be  available  to 
the  legislative  auditor  for  performing  his  post-auditing  duties; 

(c)  Designate  an  information  security  manager  to  administer  the 
department’s  security  program  for  data  and  information 
technology  resources  and  insure  that  the  security  manager 
participates  in  ISD  security  training  programs  on  a regular 
basis  to  learn  and  maintain  knowledge  and  skills; 

(d)  Implement  appropriate  cost-effective  safeguards  to  reduce, 
eliminate,  or  recover  from  identified  threats  to  data  and 
information  technology  resources; 

(e)  Ensure  that  periodic  internal  evaluations  of  the  security 
program  for  data  and  information  technology  resources  are 
conducted.  The  results  of  such  internal  evaluations  are 
confidential  and  exempt  from  public  inspection,  except  that 
such  information  must  be  available  to  the  legislative  auditor 
in  performing  his  post-auditing  duties; 

(f)  Include  appropriate  security  requirements,  as  determined  by 
the  department,  in  the  written  specifications  when  soliciting 
services  for  the  department’s  data  and  information  technology 
resources; 

(g) Maintain an information technology plan, including a general
description of the existing security program and future plans
for assuring security of data and information technology
resources.

Department of Administration Responsibilities.

The  Department  of  Administration  is  responsible  for  centralized 
management  and  coordination  of  State  policies  for  security  of  data  and 
information  technology  resources  and  shall: 

(a)  Establish  and  maintain  the  minimum  security  standards  and 
policies  to  implement  the  department’s  responsibilities, 
including  physical  security  of  central  and  backup  computer 
facilities; 

(b)  Establish  standards  and  guidelines  to  assist  agencies  in 
carrying  out  their  responsibility  to  assure  adequate  security 
for  all  data  and  information  technology  resources; 

(c)  Establish  guidelines  to  assist  agencies  in  identifying  electronic 
data  processing  personnel  occupying  positions  of  special  trust 
or  responsibility  or  sensitive  locations; 

(d) Establish standards and policies for the exchange of data
between data centers or departments by hardwired or
non-dedicated telecommunications to ensure that exchanges do not
jeopardize security and confidentiality;

(e)  Coordinate  and  provide  for  a training  program  regarding 
security  of  data  and  information  technology  resources  to 
serve  governmental  technical  and  managerial  needs; 

(f)  Assure  that  training  is  made  available  to  new  agency  security 
managers  as  soon  as  possible  after  their  designation; 

(g)  Include  appropriate  security  requirements  in  the  specifications 
for  solicitation  of  state  contracts  for  procuring  data  and 
information  technology  resources; 

(h)  Upon  request,  provide  technical  and  managerial  assistance 
relating  to  the  security  program. 

State Standards for Information Technology Passwords.

State  agencies  and  their  employees  shall  follow  these  standards  when 
establishing  passwords  for  users,  networks,  computer  systems  or  other 
information  technology  resources: 

(a)  Passwords  must  be  at  least  six  (6)  characters  long; 

(b)  Passwords  must  contain  at  least  one  (1)  numeric  and  one  (1) 
alphabetic  character; 

(c) Passwords must not be obvious or easily guessed (userID,
user's name, address, birth date, child's name, spouse's
name);

(d)  Passwords  must  be  changed  at  least  every  60  days; 

(e)  Passwords  must  not  be  reused  for  at  least  four  (4)  cycles; 

(f)  Passwords  must  not  be  written  down  where  they  can  be  found 
by  unauthorized  personnel; 

(g)  Passwords  must  not  be  shared  with  other  individuals. 
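
Standards (a) through (e) above can be checked by software when a password is set; the following is an added example, not part of the state's manual, showing one way to do so. The function names, the sample user, the PBKDF2 history store and the reading of "four (4) cycles" as "the last four passwords" are assumptions; standards (f) and (g) concern user behaviour and cannot be checked in code.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 6                  # standard (a)
MAX_AGE = timedelta(days=60)    # standard (d)
REUSE_CYCLES = 4                # standard (e), read here as "the last four passwords"
PBKDF2_ROUNDS = 100_000         # assumption: work factor for the history store


def hash_password(password, salt=None):
    """Return (salt, digest) so the history never holds clear-text passwords."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, entry):
    """Constant-time comparison of a candidate against one stored history entry."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def obvious_tokens(personal):
    """Break userID, name, birth date and similar values into lower-case tokens."""
    tokens = set()
    for value in personal:
        lowered = value.lower()
        compact = "".join(ch for ch in lowered if ch.isalnum())
        for part in [compact] + re.split(r"[^a-z0-9]+", lowered):
            if len(part) >= 3:      # ignore fragments too short to be meaningful
                tokens.add(part)
    return tokens


def check_new_password(candidate, personal, history):
    """Return the letters of the standards the candidate violates (empty list = accepted).

    `history` is a list of (salt, digest) entries, oldest first.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("a")
    has_digit = any(ch.isdigit() for ch in candidate)
    has_alpha = any(ch.isalpha() for ch in candidate)
    if not (has_digit and has_alpha):
        violations.append("b")
    lowered = candidate.lower()
    if any(token in lowered for token in obvious_tokens(personal)):
        violations.append("c")
    if any(matches(candidate, entry) for entry in history[-REUSE_CYCLES:]):
        violations.append("e")
    return violations


def change_due(last_changed, today):
    """Standard (d): a change is due once the password is 60 days old."""
    return today - last_changed >= MAX_AGE


# Constructed sample data for illustration only.
PERSONAL = ["jdoe42", "Jane Doe", "1961-04-17"]
HISTORY = [hash_password(p) for p in
           ["river7stone", "copper9kettle", "maple4ridge", "granite2pass", "willow8creek"]]

if __name__ == "__main__":
    for candidate in ["ab1", "abcdefgh", "Jane1961x", "willow8creek", "river7stone"]:
        print(candidate, check_new_password(candidate, PERSONAL, HISTORY))
    print("change due:", change_due(date(2024, 1, 1), date(2024, 3, 1)))
```

The substring test for standard (c) is deliberately strict and will also reject passwords that merely contain a short name token.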

State  Standards  for  Disposal  of  Computers. 

State  agencies  and  their  employees  shall  follow  these  standards  when 
disposing  of  a computer,  including  transferring  a computer  to  the 
surplus  property  program: 

(a)  All  agency  data  and  licensed  software  must  be  removed  from 
the  computer  in  such  a manner  that  it  cannot  be  recovered; 

(b)  All  computers  transferred  to  the  State's  surplus  property 
program  must  have  appropriate  certification  attached  to  the 
computer  as  required  by  the  Procurement  and  Printing 
Division. 

Section 1-0250.10 MOM. Information Access Control.

Definitions.

"Data and Information Technology Resources" means data processing
mainframe,  microcomputer  hardware,  peripherals,  software,  special 
forms,  personnel,  facility  resources,  maintenance,  training, 
electronically  stored  data,  or  other  related  resources. 

Mainframe  Access  Control. 

(1)  The  Department  of  Administration  provides  a software  tool 
called  Access  Control  Facility-2  (ACF2)  for  the  protection  of 
data  stored  on  the  central  mainframe.  Agency  security 
officers  are  required  to  write  rules  using  ACF2  to  designate 
who  is  permitted  to  access  which  datasets  and  records. 

(2)  Unauthorized  access  to  production  datasets  will  be  prohibited 
unless  the  agency  security  officer  specifies  rules  to  the 
contrary.  Datasets  are  considered  production  if  the  prefix  of 
the  dataset  name  begins  with  an  authorized  dataset  prefix 
(sometimes  referred  to  as  an  "authorized  node").  The 
Department  of  Administration’s  Central  Security  Office  shall 
maintain  a list  of  authorized  prefixes. 

(3)  If  information  is  financial  or  sensitive  in  nature,  custom 
security  techniques  should  be  developed  that  allow  additional 
controls.  If  the  disclosure  risk  is  high,  the  custom  security 
system  should  encrypt  user  sign-ons. 

User  Identification. 

(1)  In  an  effort  to  control  the  unauthorized  use  of  mainframe 
logon  identification  numbers,  the  Department  of 
Administration: 

(a) advocates assignment of a unique identification to each
individual  user. 

(b)  encourages  privacy  of  identification  numbers  and 
passwords. 

(c)  discourages  multiple  employee  use  of  a single 
identification  number. 

(d)  periodically  reviews  logon  identification  number  activity 
and  suspends  those  logon  identification  numbers  not  used 
within  the  past  90  days. 

(e)  suspends  logon  identification  numbers  of  terminated 
Department  of  Administration  employees. 

(f)  suspends  logon  identification  numbers  of  terminated 
agency  employees  when  informed  of  termination  by 
agency  management. 

(g)  reassigns  logon  identification  numbers  based  upon  agency 
requests. 

(2)  To  prevent  the  unauthorized  use  of  logon  identification 
numbers  and  potential  unauthorized  access  to  agency 
resources,  agency  management: 

(a)  assures  that  employees  do  not  share  identification 
numbers  and  passwords  with  other  individuals. 

(b)  determines  employee  or  contractor  access  authorization  to 
agency  resources  based  upon  individual  responsibilities 
and  subsequently  alters  access  authorization  consistent 
with  changes  in  agency  procedures  and  individual 
responsibilities. 

(c)  suspends  logon  identification  numbers  of  terminated 
employees. 

Dial-Up Access to Mainframe.

(1) The Department of Administration monitors the use of
dial-up access to the central computer system. Daily reports
are available to agency management identifying the date,
time, logon identification, and system used for each dial-up
access.

Section  1-0250.20  MOM.  Public  Access  to  Central 
Computer. 

Definitions. 

"Data and Information Technology Resources" means data
processing  mainframe,  microcomputer  hardware,  peripherals, 
software,  special  forms,  personnel,  facility  resources,  maintenance, 
training,  electronically  stored  data,  or  other  related  resources. 

"Public  Access"  means  the  services  provided  by  the  Information 
Services  Division  for  the  purpose  of  sharing  centrally  stored  public 
information. 

"Unauthorized  Use  or  Access"  means  to  use  or  gain  access  to 
information  without  the  express  permission  of  the  information’s 
owner. 

Public  Access  Provision. 

(1)  Public  access  services  will  be  available  during  normal  hours 
of  network  availability. 

(2)  Agencies  must  notify  the  Department  of  Administration  at 
least  two  (2)  months  prior  to  scheduled  implementation  of  a 
new  public  access  application.  A formal  review  will  be 
scheduled.  This  review  will  cover  access  methods,  billing, 
security,  screen  design  and  programming  guidelines  and 
documentation.  It  will  not  be  a coding  design  review. 
Documentation  provided  by  the  agency  must  meet 
documentation  standards  as  specified  in  Section  1-0232.00 
MOM. 

(3) The Department of Administration should be involved as
early  as  possible  in  the  design  of  public  access  applications. 
System  designs  must  be  consistent  with  other  public  access 
applications  to  provide  a uniform  public  interface.  (See 
Public  Access  System  Design  guidelines.)  Early  involvement 
can  help  avoid  last-minute  design  changes. 

(4)  Security  must  be  provided  and  maintained  by  the  agency 
which  owns  the  application  and  the  data.  The  Department  of 
Administration  can  help  with  proper  access  rules. 

(5)  All  public  access  applications  will  be  restricted  to  a separate 
public  region  called  PACICS. 

Limited  Public  Access. 

(1)  Limited  public  access  is  available  for  applications  which  are 
needed  by  only  certain  people  or  organizations. 

(2)  The  agency  shall: 

(a)  Assume  complete  responsibility  for  the  application  and 
the  users; 

(b)  Maintain  a means  to  add,  delete  and  bill  users; 

(c)  Provide  data,  programming,  documentation,  and  access 
support  to  users; 

(d)  Assist  users  in  solving  problems. 

(3)  The  Department  of  Administration  shall: 

(a)  Provide  computer  time  and  access  ports; 

(b)  Provide  access  to  ISD’s  billing  records; 

(c)  Add  and  delete  users  per  agency  authorization; 

(d)  Assist  agency  personnel  in  solving  problems; 

(e)  Bill  the  agency  directly  based  on  then  current  Department 
of  Administration  charges. 

Unlimited Public Access.

(1)  Unlimited  public  access  is  available  for  applications  which 
are  available  to  all  people  and  when  direct  billing  of  users  is 
desired. 

(2)  The  agency  shall: 

(a)  Provide  data  and  take  responsibility  for  its  accuracy; 

(b)  Provide  and/or  authorize  all  application  programs  to 
insure  that  the  data  is  presented  to  the  public  in  the 
appropriate  context; 

(c)  Supply  the  Department  of  Administration  with  up-to-date 
documentation; 

(d)  Maintain  a person  and  telephone  number  to  answer  public 
questions  concerning  the  application  data; 

(e)  Assume  financial  liability  for  the  data  and  program 
accuracy. 

(3)  The  Department  of  Administration  shall: 

(a)  Not  prohibit  or  screen  requests  for  access  to  an 
application; 

(b)  Bill  the  public  or  the  agency  using  the  Department  of 
Administration’s  current  public  access  billing  method; 

(c)  Add  and  delete  users; 

(d)  Provide  first  line  access  support; 

(e)  Provide  computer  time  and  necessary  ports. 

Liability  for  Unauthorized  Use  or  Access. 

(1)  Liability  for  the  activity  of  the  public  user  lies  with  the 
agency  that  authorized  the  logon  identification. 

(2)  The  Department  of  Administration  disclaims  liability  to  the 
public  for  the  unavailability  of  data  due  to  a computer  or 
other  technical  failure. 

Section 1-0250.30 MOM. Home Access to Central
Computer. 

Definitions. 

"Home Access" means to access the central computer via a
workstation  or  device  located  on  property  other  than  that  owned  or 
operated  by  the  State  of  Montana. 

Authorization for Home Access.

(1)  Agencies  are  responsible  for  granting  home  access  to 
employees  based  on  sound  business  reasons.  Agencies 
should  incorporate  the  following  considerations  into  a policy 
used  to  determine  whether  or  not  to  authorize  home  access: 

(a)  Criticality.  Home  access  should  be  authorized  only  for 
those  employee  tasks  that  are  critical  to  state  operations. 

(b)  Response  Time.  Home  access  should  be  authorized  in 
those  instances  where  faster  response  is  necessary  than 
can  be  provided  by  use  of  terminals  in  the  work  place. 

(c)  Security.  Home  access  should  be  authorized  only  when 
the  increased  potential  for  unauthorized  access  is  justified 
by  the  benefits  to  be  gained  from  home  access. 

(d)  Economic.  Home  access  should  be  authorized  only  in 
those  instances  where  savings  will  be  realized  — reduced 
elapsed  time  to  recover  a system  or  eliminating  time  for 
travel  to  the  workplace,  etc. 

Management  Controls. 

(1)  Agencies  are  responsible  for  monitoring  the  extent  and  type 
of  access  to  the  central  computer  via  home  access.  The 
Department  of  Administration  records  all  home  access  to  the 
central  computer  and  will  provide  the  information  on  request. 

Limitations.

(1)  The  following  limitations  should  also  be  considered  in  agency 
policies  for  home  use  of  computers: 

(a) Employment Status. Home access must be limited to
employees exempt from the overtime provisions of the
Fair Labor Standards Act.

(b)  Official  State  Business.  All  access  to  the  central 
computer  must  be  limited  to  official  state  business. 

Section 2-12-102 Administrative Rules of Montana
(ARM). 

(1)  The  facilities  of  the  state’s  telecommunications  systems  are 
provided  principally  for  the  conduct  of  state  business.  In 
addition  to  state  business,  the  state’s  telecommunications 
systems  may  be  used  by: 

(a)  local  political  subdivisions  of  the  state,  for  the  conduct  of 
their  business; 

(b)  residents  in  housing  of  the  Montana  University  System, 
for  their  calls  originating  on  the  university  system 
campuses;  and 

(c)  state  employees  and  officials  for  local  and  long-distance 
calls  to  latch-key  children,  teachers,  doctors,  day-care 
centers  and  baby  sitters,  to  family  members  to  inform 
them  of  unexpected  schedule  changes,  and  for  other 
essential  personal  business.  The  use  of  the  state’s 
telecommunication  systems  for  essential  personal  business 
must  be  kept  to  a minimum,  and  not  interfere  with  the 
conduct of state business. Essential personal
long-distance calls must be either collect, charged to a third
party non-state number, or charged to a personal credit
card. (History: Sec 2-17-302 MCA; IMP, 2-17-302, Eff.
12/31/72; AMD. 1987 MAR p. 2086, Eff. 11/13/87;
AMD. 1990 MAR p. 928, Eff. 5/18/90.)
SummitNet  Acceptable  Use  Policy  (abbreviated) 

SummitNet  Defined 

SummitNet  is  the  state's  telecommunications  nucleus  network  or 
backbone  connecting  agency,  University,  K-12,  library,  and  local 
government  networks.  SummitNet  provides  connectivity  to  Internet, 
the  world's  largest  network  of  individuals,  governments,  organizations, 
universities,  schools,  and  companies. 

SummitNet  Acceptable  Use 

SummitNet  is  to  be  used  for:  the  conduct  of  state  and  local  government 
business  and  delivery  of  government  services;  the  support  of 
instruction,  learning,  training,  educational  administration,  research,  and 
grant  procurement;  the  increased  participation  of  citizen  oversight  of 
government  affairs;  and  the  promotion  of  economic  development. 

SummitNet  users  may  be  subject  to  restrictive  or  limited  use  of  the 
network,  including  the  access  of  Internet,  as  determined  by  a 
supervising  authority  or  administrator. 

Internet  Acceptable  Use 

Internet  is  to  be  used  for  transmitting  and  sharing  of  information  among 
governmental,  research,  and  educational  organizations.  SummitNet 
users  may  access  Internet  to:  support  open  research  and  education  in 
and  between  national  and  international  research  and  instructional 
institutions;  communicate  and  exchange  professional  information; 
encourage  debate  of  issues  in  a specific  field  of  expertise;  apply  for  or 
administer  grants  or  contracts;  announce  requests  for  proposals  and 
bids;  announce  new  services  for  use  in  research  or  instruction;  and 
conduct  other  appropriate  state  business. 

SummitNet  and  the  Internet  are  not  to  be  used  for  “for-profit”  activities 
or  for  extensive  use  for  private,  recreational,  or  personal  business. 
Glossary  of  Acronyms 

ARM:  Administrative  Rules  of  Montana 
BSA:  Business  Software  Alliance 
BBS:  Bulletin  Board  System 
CPU:  Central  Processing  Unit 
DOS:  Disk  Operating  System 
e-mail:  Electronic  Mail 
IDMS:  Integrated  Data  Management  System 
ISD:  Information  Services  Division,  Dept.  of  Administration 
IT:  Information  Technology 
ITAC:  Information  Technology  Advisory  Council 
ITMG:  Information  Technology  Managers  Group 
MCA:  Montana  Code  Annotated 
MOM:  Montana  Operations  Manual 
PC:  Personal  Computer 
SummitNet:  State  and  Universities  of  Montana  Multi-Protocol  Network 
UPS:  Uninterruptible  Power  Supply 